Tag Archives: Alessandra G. Masciandaro

The Arrival of 2023 U.S. State Privacy Laws – Part 2: Colorado Update

by Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Alessandra G. Masciandaro, and Ned Terrace


From left to right: Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

On February 1, 2023, the Colorado Attorney General (“COAG”) held a public hearing as part of its rulemaking process for the Colorado Privacy Act (“ColoPA”). Ahead of the hearing, the COAG released its third draft of proposed rules (“proposed rules”) for the ColoPA. Here in Part 2 of our 2023 U.S. State Privacy Laws series, we review key components of the proposed rules and takeaways from the public hearing. Part 1 of this Data Blog series discussed recent developments in the rulemaking for the California Privacy Rights Act.

This post addresses the timeline for COAG rulemaking and the current proposed rules relating to (1) new responsibilities for controllers related to consumer rights, (2) privacy notices, (3) universal opt-out mechanisms, (4) consent for processing sensitive data, (5) biometric data, (6) data minimization, (7) data protection assessments, and (8) profiling. Companies subject to ColoPA should review their practices to ensure compliance before ColoPA’s July 1, 2023 effective date.


The Arrival of 2023 U.S. State Privacy Laws – Part 1: California Update

by Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro


From left to right: Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

2023 has arrived, and with it comes a novel patchwork of privacy requirements arising out of comprehensive state privacy laws that have been adopted (or amended) by legislatures in California, Virginia, Colorado, Connecticut and Utah. Although privacy practitioners have been busy analyzing these laws and assisting clients with compliance efforts, rulemaking in California and Colorado has made this a moving target. We’ve previously blogged about how companies can prepare for these laws, and how enforcement and guidance under the GDPR might shed light on how some of these laws will be applied. In this series of posts, we will track key rulemaking developments as well as trends in compliance efforts, with practical takeaways for covered companies to consider as these laws, and the regulatory expectations around them, mature.


California’s Age-Appropriate Design Code Act Expands Businesses’ Privacy Obligations Regarding Minors

by Avi Gesser, Johanna N. Skrzypczyk, Michael R. Roberts, Michael J. Bloom, Martha Hirst, and Alessandra G. Masciandaro

On September 15, 2022, California Governor Gavin Newsom signed into law the bipartisan AB 2273, known as the California Age-Appropriate Design Code Act (“California Design Code”). The California Design Code aims to protect children online by imposing heightened obligations on any business that provides an online product, service, or feature “likely to be accessed by children.” Governor Newsom stated that he is “thankful to Assemblymembers Wicks and Cunningham and the tech industry for pushing these protections and putting the wellbeing of our kids first.”  The California Design Code’s business obligations take effect on July 1, 2024, though certain businesses must complete Data Protection Impact Assessments “on or before” that date.

In this post, we outline the California Design Code and its compliance requirements, compare it to pre-existing privacy regimes, and conclude with key takeaways for businesses to keep in mind as they adapt to the ever-changing privacy landscape.


Utah Joins the Comprehensive State Privacy Law Club

by Avi Gesser, Johanna N. Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

On March 24, 2022, Utah enacted a comprehensive consumer privacy law, the Utah Consumer Privacy Act (“UCPA”). The UCPA, effective on December 31, 2023, is largely consistent with other comprehensive state privacy laws, but includes several key differences. The UCPA is set to be reviewed by the attorney general who must submit a report to the legislature by July 1, 2025.

In prior posts, we have written about the evolving state privacy law landscape, including how to prepare for state privacy laws coming into effect in 2023 here; various aspects of the CCPA and CPRA, including here and here; and the Virginia Consumer Data Protection Act (“VCDPA”) here. For purposes of this post, we refer collectively to the CCPA/CPRA, VCDPA, and ColoPA as the “State Privacy Laws.”
